From proff  Wed Aug 14 07:41:06 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id HAA19908 for best-of-security; Wed, 14 Aug 1996 07:41:06 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id SAA07515 for <proff@SUBURBIA.NET>; Tue, 13 Aug 1996 18:42:46 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <25164-15996>; Tue, 13 Aug 1996 04:41:53 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id EAA10830; Tue, 13 Aug 1996 04:40:06 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 243613 for BUGTRAQ@NETSPACE.ORG; Tue, 13 Aug 1996 04:34:06
          +2000
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id EAA10358 for <BUGTRAQ@NETSPACE.ORG>; Tue,
          13 Aug 1996 04:33:29 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by
          netspace.org (8.7/8.6.12) with SMTP id EAA08231 for
          <BUGTRAQ@netspace.org>; Tue, 13 Aug 1996 04:16:02 -0400
Received: from matisse.its.rpi.edu (matisse.its.rpi.edu [128.113.113.18]) by
          mail1.its.rpi.edu (8.6.9/8.6.4) with ESMTP id EAA00968; Tue, 13 Aug
          1996 04:15:59 -0400
Received: from localhost (root@localhost) by matisse.its.rpi.edu (8.6.9/8.6.4)
          with SMTP id EAA85747; Tue, 13 Aug 1996 04:16:00 -0400
X-Authentication-Warning: matisse.its.rpi.edu: Host localhost didn't use HELO
                         protocol
Approved-By:  Steve Czetty <czetts@RPI.EDU>
Message-ID: <199608130816.EAA85747@matisse.its.rpi.edu>
Date: 	Tue, 13 Aug 1996 04:15:59 -0500
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
Sender: proff
From: Steve Czetty <czetts@rpi.edu>
Subject:      Re: Vulnrability in all known Linux distributions
X-To:         linux-security@tarsier.cv.nrao.edu
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  Your message of "Tue, 13 Aug 1996 07:04:25 EDT."
              <32100CD9.33FBC5AF@mymail.com>

Hi all, after trying the mount exploit recently posted on Bugtraq, and watching it succeed, I quickly went to my mount source (version 2.5k, I don't know if
there's an newer one or not, I wasn't THAT motivated :-) ) and produced the
following patch.  A 'grep strcpy *.c', 'grep sprintf *.c', and 'grep strcat *.c'
was all I did, so I can't guarantee complete security, but it should be better
than it was before..

The problem in this case happens to be in the libc implementation of
realpath(), so I plan to post a patch against libc 5.3.12 shortly as well, and
this patch will not be necessary for THIS security hole.  However, considering
the number of calls to strcpy() and the like, I doubt this will be the last
one we will see with mount.

-Steve

----- CUT HERE -----

diff --recursive --unified mount-2.5k/Makefile mount-2.5k-fixed/Makefile
--- mount-2.5k/Makefile Mon Apr 29 20:25:44 1996
+++ mount-2.5k-fixed/Makefile   Tue Aug 13 03:50:36 1996
@@ -10,7 +10,7 @@
 # For now: a standalone version

 CC = gcc
-OPTFLAGS=      -O2 -fomit-frame-pointer
+OPTFLAGS= -O2 -fomit-frame-pointer
 #CFLAGS = -pipe $(OPTFLAGS)
 WARNFLAGS = -Wall -Wstrict-prototypes -Wmissing-prototypes
 #LDFLAGS = -s -N
@@ -64,10 +64,10 @@
 %.o: %.c
        $(COMPILE) $<

-mount: mount.o fstab.o sundries.o version.o $(NFS_OBJS) $(LO_OBJS)
+mount: mount.o fstab.o sundries.o version.o realpath.o $(NFS_OBJS) $(LO_OBJS)
        $(LINK) $^ $(LDLIBS) -o $@

-umount: umount.o fstab.o sundries.o version.o $(LO_OBJS)
+umount: umount.o fstab.o sundries.o version.o realpath.o $(LO_OBJS)
        $(LINK) $^ $(LDLIBS) -o $@

 swapon:        swapon.o fstab.o version.o
Only in mount-2.5k-fixed/h: loop.h.orig
diff --recursive --unified mount-2.5k/lomount.c mount-2.5k-fixed/lomount.c
--- mount-2.5k/lomount.c        Mon May  6 10:05:10 1996
+++ mount-2.5k-fixed/lomount.c  Tue Aug 13 03:41:06 1996
@@ -95,7 +95,7 @@
     FILE *procdev;

     for(i = 0; ; i++) {
-      sprintf(dev, "/dev/loop%d", i);
+      snprintf(dev, 20, "/dev/loop%d", i);
       if (stat (dev, &statbuf) == 0 && S_ISBLK(statbuf.st_mode)) {
        somedev++;
        fd = open (dev, O_RDONLY);
Only in mount-2.5k-fixed/: mount-exploit.c
diff --recursive --unified mount-2.5k/nfsmount.c mount-2.5k-fixed/nfsmount.c
--- mount-2.5k/nfsmount.c       Sun Mar 24 10:52:02 1996
+++ mount-2.5k-fixed/nfsmount.c Tue Aug 13 03:04:20 1996
@@ -108,7 +108,7 @@

        msock = fsock = -1;
        mclient = NULL;
-       strcpy(hostdir, spec);
+       strncpy(hostdir, spec, 1024);
        if ((s = (strchr(hostdir, ':')))) {
                hostname = hostdir;
                dirname = s + 1;
@@ -140,7 +140,7 @@
        old_opts = *extra_opts;
        if (!old_opts)
                old_opts = "";
-       sprintf(new_opts, "%s%saddr=%s",
+       snprintf(new_opts, 1024, "%s%saddr=%s",
                old_opts, *old_opts ? "," : "",
                inet_ntoa(server_addr.sin_addr));
        *extra_opts = xstrdup(new_opts);
@@ -492,7 +492,7 @@
                if (nfs_errtbl[i].stat == stat)
                        return strerror(nfs_errtbl[i].errno);
        }
-       sprintf(buf, "unknown nfs status return value: %d", stat);
+       snprintf(buf, 256, "unknown nfs status return value: %d", stat);
        return buf;
 }

diff --recursive --unified mount-2.5k/realpath.c mount-2.5k-fixed/realpath.c
--- mount-2.5k/realpath.c       Sat Mar 11 20:39:59 1995
+++ mount-2.5k-fixed/realpath.c Tue Aug 13 03:51:24 1996
@@ -79,7 +79,7 @@
        int n;

        /* Make a copy of the source path since we may need to modify it. */
-       strcpy(copy_path, path);
+       strncpy(copy_path, path, PATH_MAX);
        path = copy_path;
        max_path = copy_path + PATH_MAX - 2;
        /* If it's a relative pathname use getwd for starters. */
@@ -161,8 +161,8 @@
                                return NULL;
                        }
                        /* Insert symlink contents into path. */
-                       strcat(link_path, path);
-                       strcpy(copy_path, link_path);
+                       strncat(link_path, path, (PATH_MAX - strlen(link_path)));
+                       strncpy(copy_path, link_path, PATH_MAX);
                        path = copy_path;
                }
 #endif /* S_IFLNK */
diff --recursive --unified mount-2.5k/sundries.c mount-2.5k-fixed/sundries.c
--- mount-2.5k/sundries.c       Tue Apr 23 14:37:35 1996
+++ mount-2.5k-fixed/sundries.c Tue Aug 13 03:34:15 1996
@@ -354,10 +354,10 @@

   if (path == NULL)
     return NULL;
-
+
   if (realpath (path, canonical))
     return canonical;

-  strcpy (canonical, path);
+  strncpy (canonical, path, (PATH_MAX + 1));
   return canonical;
 }
diff --recursive --unified mount-2.5k/umount.c mount-2.5k-fixed/umount.c
--- mount-2.5k/umount.c Tue Apr 23 14:34:05 1996
+++ mount-2.5k-fixed/umount.c   Tue Aug 13 03:32:56 1996
@@ -67,12 +67,12 @@
       char hostname[MAXHOSTNAMELEN];
       char dirname[1024];

-      strcpy(buffer,spec);
+      strncpy(buffer,spec,256);
               /* spec is constant so must use own buffer */
       if((p = strchr(buffer,':'))) {
               *p = '\0';
-              strcpy(hostname, buffer);
-              strcpy(dirname, p+1);
+              strncpy(hostname, buffer, 256);
+              strncpy(dirname, p+1, 1024);
 #ifdef DEBUG
               printf("host: %s, directory: %s\n", hostname, dirname);
 #endif